CVE-2025-10188 is a medium-severity security vulnerability classified as CWE-352 (Cross-Site Request Forgery) affecting The Hack Repair Guy's Plugin Archiver WordPress plugin, versions up to and including 2.0.4. The root cause is the absence or improper implementation of nonce validation in the bulk_remove() function, which is responsible for bulk deletion operations within the /wp-content directory. Nonces in WordPress are security tokens used to verify that requests are intentional and originate from legitimate users. Without proper nonce validation, attackers can craft malicious requests that, when executed by an authenticated administrator (via clicking a link or visiting a URL), trigger unauthorized directory deletions. This vulnerability does not require the attacker to be authenticated but does require the administrator's interaction, making it a CSRF attack vector. The impact includes potential loss of plugin files or other critical content stored in /wp-content, affecting site integrity and availability. The vulnerability has a CVSS v3.1 base score of 5.4, indicating a moderate risk level. No public exploits have been reported yet, but the vulnerability is publicly disclosed and documented in the CVE database. The lack of patch links suggests a fix may not yet be available or publicly released, emphasizing the need for immediate mitigation steps.

The primary impact of this vulnerability is the unauthorized deletion of directories within the /wp-content folder of WordPress sites using the affected plugin. This can lead to loss of plugin data, themes, uploads, or other critical site content, potentially causing site malfunction or downtime. The integrity of the website is compromised as attackers can remove essential files without direct authentication, relying on social engineering to trick administrators. Availability is also affected since deleted directories may disrupt site functionality until restored. Confidentiality is not directly impacted since the vulnerability does not allow data disclosure. Organizations worldwide running WordPress sites with this plugin are at risk, especially those with multiple administrators or less security-aware staff. The attack requires user interaction, which may limit exploitation scope but does not eliminate risk. The absence of known exploits in the wild reduces immediate threat but does not preclude future attacks. Overall, the vulnerability poses a moderate risk of site disruption and data loss, potentially impacting business continuity and reputation.

1. Immediate mitigation should include disabling or uninstalling The Hack Repair Guy's Plugin Archiver plugin until a patch is available. 2. If disabling is not feasible, restrict administrative access and educate administrators to avoid clicking unknown or suspicious links. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious bulk_remove() requests or CSRF attack patterns targeting the plugin. 4. Monitor server and WordPress logs for unusual deletion activities within /wp-content. 5. Regularly back up the /wp-content directory and the entire WordPress installation to enable quick restoration in case of deletion. 6. Once a patch is released, promptly update the plugin to the fixed version. 7. Consider adding additional nonce or token validation at the web server or application level as a temporary safeguard. 8. Employ security plugins that provide enhanced CSRF protection and administrative session management. 9. Limit the number of administrators and enforce strong authentication mechanisms to reduce the risk of social engineering exploitation. 10. Conduct security awareness training for administrators focusing on phishing and social engineering risks.